RSA Moves on Following Breach that Captured the World's Attention

RSA Executives Discuss the Future of the Company, Say it Added More Than 1,000 New SecurID Customers Following High Profile Breach.

The top executives at RSA, the security arm of data storage giant EMC, say the company has moved on from the breach that cost it millions of dollars and triggered a wave of fear and concern across the industry. SecurityWeek attended a briefing last week at RSA’s headquarters in Bedford, Mass. Among the topics discussed were the future of the company and some insight into the breach itself.

As it turns out, the attack on RSA had a strong silver lining. After all, if RSA can get hacked, so could anyone, its customers remarked, according to Executive Chairman Art Coviello. With that said, Coviello spent a good part of 2011 talking to other business leaders and organizations about the incident, helping them learn from the attack, and of course drumming up business as well.

“We need to do a better job of cooperating among vendors, government, and industry and private sector, if we are going to reap the benefits of all of the technology that has been implemented over the last ten years,” Coviello remarked.

In early 2011, things looked bad on the security front. It started when Anonymous attacked HBGary; a month later, parties unknown attacked RSA. After that it was a cycle of breaches, including Sony, Lockheed, the IMF, DigiNotar, etc.

To lump all of these attacks together misses the point, Coviello noted, because they are different attackers with different methods and motivations. So it’s important for those charged with protecting corporate assets to understand who might attack, why and how. Understanding these things has a large impact on how defenses are built within an organization.

“Too often in security, risk and security are looked at from the inside out, and not the inside in. You really need to do both,” Coviello said.

In the eyes of RSA’s Executive Chairman, there are three levels of adversaries: first, nation states (which target a company’s secrets), then hacktivists (who target companies in order to embarrass them), and then organized criminals (who target companies for financial gain).

These three descriptions seemed to play a key role in RSA’s move forward after the breach. The outline Coviello gave during his presentation was one that would benefit many business leaders who looked to RSA after the incident to provide answers. It was high-level enough so that anyone could follow along, but with enough detail to make a point.

“Not surprisingly, because of the breach, and the lessons that we learned here at RSA, we were in a fair amount of demand to talk to companies about the lessons that we learned, about the capabilities that we were developing as a result of the attack, [and] the knowledge that we had. Many [of those requesting to speak to RSA] had been attacked themselves, so they were very interested in comparing notes,” he said.

“So this is very much a universal problem. It’s not a question of whether or not you have been breached; it’s a question of when you might ultimately be breached. Because the perimeter defenses that have existed for so many years, that we’ve been saying are not adequate, are being exposed day in and day out.”

In fact, during the discussion it was learned that a major bank had brought Coviello in to talk about these types of attackers and the threats to the financial industry they represent. More importantly, the bank wanted to know what to do about them.

His point, to put it succinctly, is that security has to change. It has to be more agile and intelligence based. It has to be positioned to respond faster, and shrink the vulnerability window and mitigate the most damage possible. Security should be automatic and incident response needs to shift to real-time reporting and mitigation.

After Coviello was done with his part of the presentation, Tom Heiser, RSA’s President, and Eddie Schwartz, RSA’s CISO, talked about some of the lessons learned in the aftermath of the breach, and how the company has used them to gain forward momentum.

“It was hell to live through what we did, it was extremely stressful. But the things that I do reflect upon at the time, are things like the team pulling together,” Heiser explained.

At the time, engineers were brought in from Israel, and the staff in its operations centers were being fueled by caffeine and food as they pulled their 24/7 shifts. It was during this time that RSA’s executives developed a three-stage plan to respond to the incident, recover from it, and use it to push forward in an act of resurgence.

“We need to figure out how we’re going to get out of this. What are we going to do? We were just getting pummeled,” Heiser said, explaining the thought process at the time.

It started just after the breach, in March of 2011. “As I recall, it wasn’t debated,” Heiser said about the move to disclose the breach to the public.

There were efforts, tantamount to triage, which involved dealing with customers and pulling partners into the mix. It was at this point that the company’s crisis management processes were fully tested.

At the time, the aims were to be as transparent as possible, while keeping sensitive information from coming out. To this day, RSA still has not been fully open about the entire nature of the breach and what was taken. Despite this, RSA increased the manufacturing of SecurID tokens, purchasing 6-8 robots to boost production seven-fold from March to August 2011.

Aside from Lockheed, “there is no one that we know of that has had an actual active attack, due to [the breach at] RSA. Period,” Heiser told the press gathering.

Once the initial shock and reaction had taken place, RSA moved into recovery mode. It was during this stage that customers were asking for information. The company knew that it couldn’t live in crisis management and response mode forever. It was time to take steps and move forward.

By June, it was determined that RSA had to go from reactive to proactive. After much debate, the company decided to go out to the public, talk about the incident and start sharing information. By the end of the year, RSA would host 15-20 summits on the incident and discuss its products and response to the incident.

Today, RSA continues to turn the breach into a learning experience, and is seeing a larger demand for its products. In fact, after the breach, RSA has added some 1,000 new SecurID customers to its client base, protecting some 350 million identities worldwide. In addition, RSA has started to work towards better advancement and innovation, as well as collaboration, and information sharing.

In a Q&A session, it was learned that the reason RSA will not comment on the identity of its attackers, or even offer speculation, is the lack of quality intelligence. The trail got cold when RSA investigated the breach. The company concluded it was a nation state, but will not confirm or deny the speculation that China was responsible, or any other nation for that matter, without solid facts.

Looking ahead, RSA is focusing on stronger intelligence controls and automated threat response. This can be accomplished with a smarter emphasis on virtualization within the enterprise and by leveraging the existing tools. RSA plans to support this with the development of Pegasus, its next wave of cloud-based protection solutions.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.